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Description 

Method and apparatus for geometric 
key establishment protocols based on 

topological groups 

Cross Reference to Related Applications 

[000 1 ] U.S. Pat. No 5,696,826,12/1997, by Gao; U.S. Pat. No 

6,493,449,12/2002, Anshel et al; U.S. Pat. Application No 

10/605,935, 11/2003, Berenstein and Chernyak. 
Background of Invention 

[0002] Description of the Prior Art: Key Establishment Protocols 

[0003] The concepts, terminology and framework for under- 
standing cryptographic key establishment protocols is 
given in Alfred J. Menezes, Paul C. van Oorschot, and Scott 
A. Vanstone, "Handbook of Applied Cryptography," CRC 
Press (1997), pages 490-491. 

[0004] a x protocoP is a multi-party algorithm, defined by a se- 
quence of steps specifying the actions required of two or 
more parties in order to achieve a specified objective. 



[0005] a x key establishment^ protocol is a protocol whereby a 
shared secret becomes available to two or more parties, 
for subsequent cryptographic applications. 

[0006] a x key transport x protocol is a key establishment proto- 
col where one party creates or obtains a secret value, and 
securely transfers it to the other participating parties. 

[0007] a x key agreement x protocol is a key establishment proto- 
col in which a shared secret is derived by two (or more) 
parties as a function of information contributed by, or as- 
sociated with, each of the participating parties such that 
no party can predetermine the resulting value. 

[0008] a x key distribution N protocol is a key establishment pro- 
tocol whereby the established keys are completely deter- 
mined a priori by initial keying material. 

[0009] The Diffie-Hellman key establishment protocol (also called 
Exponential key exchange^) is a fundamental algebraic 
protocol. It is presented in W. Diffie and M. E. Hellman, 
"New Directions in Cryptography," IEEE Transaction on In- 
formation Theory vol. IT 22 (November 1976), pp. 
644-654. The Diffie-Hellman protocol provided the first 
practical solution to the key distribution problem, allow- 
ing two parties, never having met in advance or sharing 
keying material, to establish a shared secret by exchang- 



ing messages over an open channel. 
[0010] The security of this protocol rests on the intractability of 
the Diffie-Hellman problem and the related problem of 
computing discrete logarithms in the multiplicative group 
of the finite field GF(p) where p is a large prime, cf. Alfred 
J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, 
"Handbook of Applied Cryptography," CRC Press (1997), 
page 113. 

[0011] Most of known applications of Diffie-Hellman protocol 
deal with finite groups. Recently there emerged versions 
of Diffie-Hellman protocol for infinite, but yet discrete 
groups (see for example, US Patent N6,493,449 by Anshel 
et al). 

[0012] unlike approaches existing in the prior art, the present in- 
vention is based not on finite or discrete groups, but 
rather on the connected compact topological groups. 

[0013] B r j e f overview of connected compact topological groups 

[0014] The basic reference for concepts, terminology and histori- 
cal framework in topological group are given in the 
monograph by Philip J Higgins, Introduction to topological 
groups, Cambridge : University Press, 1974, and in the 
monograph by John F. Price, Lie groups and compact groups , 
Cambridge [Eng]; New York : Cambridge University Press, 



1977. 

[0015] a group (G,*) is defined as a set G together with a binary 
operation *: G xG -► G satisfying the following axioms: 
[0016] Associativity: For all a, b and c in G, (a * b) * c = a * (b * c). 

[0017] identity element: There is an element e in G such that for all 
a in G, e* a = a = a* e. 

[0018] inverse element: For all a in G, there is an element b in G 

such that a*b=e=b*a, where e is the identity element 
from the previous axiom. 

[0019] a topological group G is a group which is also a topological 
space such that the group multiplication G xG -► G and 
the operation of taking inverses G ^ G are continuous 
maps. (Here, G xG is viewed as a topological space by us- 
ing the product topology). 

[0020] a topological group G is called compact if the underlying 
topological space is compact, i.e., if any open cover of the 
space G has a finite sub-cover. 

[0021] a first example of compact topological groups is any finite 
group (equipped with the discrete topology). Such groups 
provide examples of compact disconnected topological 
groups. 

[0022] Another class of compact topological groups is connected 
compact topological groups. A topological group is con- 



nected lf the underlying topological space is connected. 
This class contains such groups as SO(V), where SO(V) is 
the group of all special orthogonal transformations of a 
Euclidean vector space V (therefore, there are at least as 
many compact connected topological groups as there are 
Euclidean vector spaces). 
[0023] The present invention implements the ideas and algo- 
rithms of Diffie-Hellman protocol for the case of con- 
nected compact topological groups. This approach allows 
one to bypass and, in some cases, to completely eliminate 
the computational complexity of the exponentiation oper- 
ation. Such an approach does not exist in the prior art. 
Summary of Invention 

[0024] Geometric key establishment system of the present inven- 
tion allows for easy, secure, and rapid creation and distri- 
bution of encryption/decryption keys for major cryptosys- 
tems. The procedures of creation and distribution of keys 
are performed extremely rapidly and have very low com- 
puter memory requirements. 

[0025] The present invention proposes a continuous version of 
Diffie-Hellman protocol. Based on this continuous Diffie- 
Hellman protocol, a method for public distribution of keys 
for encryption/decryption systems is implemented. An 



embodiment of the method, while providing an extremely 
high security level, is several orders of magnitude faster 
than existing key distribution systems. 

[0026] The key creation process of the system hereof uses the 
operation of linear combination with integer coefficients 
of irrational numbers and the operation of taking frac- 
tional parts of real numbers. In more advanced implemen- 
tations the operation of taking fractional parts can be re- 
placed by the exponentiation from the compact Lie alge- 
bra into the corresponding compact Lie group. 

[0027] The system of the present invention constructs encryp- 
tion/decryption keys on the fly out of a publicly chosen n- 
tuple g of irrational numbers and a pair of secret integer 
nxn matrices A and B, where the first integer matrix A is 
generated by the first communicating party and the sec- 
ond integer matrix B - by the second, and the matrices 
commute, i.e., A-B = B-A. Absolute values of matrix coef- 
ficients of these matrices are bounded by a publicly avail- 
able constant 10 N that may be arbitrarily big. Thus the 
keys created and distributed by the system hereof can be 
of any given in advance size. The present invention com- 
bines the idea of Diffie-Hellman protocol of key distribu- 
tion with the idea of the geometric cryptosystem devel- 



oped in the U.S. Patent Application Nol0/605,935entitled 
GEOMETRY-BASED SYMMETRIC CRYPTOSYSTEM METHOD 
by the authors Arkady Berenstein and Leon Chernyak. 
[0028] The security of the system of the present invention is 

based on the following well-known paradigm from Num- 
ber Theory. Let 3 , 3 2 » ... be a sequence of irrational num- 
bers (or more generally, of irrational elements of a com- 
pact Lie group) and let y be an irrational number com- 
puted with the precision of K decimal places. Then any al- 
gorithm that recognizes y as an element of the sequence 
3 , 3 » ■■■ and identifies the index n such that y= 3 must 
work at least C-10 units of time where C is an a priori 

given constant. 
Brief Description of Drawings 

[0029] FIG. 1 is a block diagram of the mathematical apparatus 
that can be used in practicing embodiments of the inven- 
tion. 

[0030] FIG. 2 is a flow diagram of the geometric key establish- 
ment system which shows generation of commuting ma- 
trices with integer coefficients; when taken with the sub- 
sidiary flow diagrams referred to therein, can be used in 
implementing embodiments of the invention. 

[0031] FIG. 3 is a flow diagram of the geometric key establish- 



ment system which shows the exponentiation of n-tuples 
of group elements into matrix powers; when taken with 
the subsidiary flow diagrams referred to therein, can be 
used in implementing embodiments of the invention. 
[0032] FIG. 4 is a flow diagram of the geometric key establish- 
ment system which shows the fractional multiplication of 
n-tuples of real numbers by integer nxn matrices; when 
taken with the subsidiary flow diagrams referred to 
therein, can be used in implementing embodiments of the 
invention. 

[0033] FIG. 5 is a block diagram of the geometric key establish- 
ment system that can be used in practicing ^-dimensional 
embodiments of the invention. 

[0034] FIG. 6 is a block diagram of the geometric key establish- 
ment system that can be used in practicing one- 
dimensional embodiments of the invention. 

[0035] FIG. 7 is a block diagram of the geometric key establish- 
ment system that can be used in practicing preferred n- 
dimensional embodiments of the invention in the case 
when the group operation consists of taking the fractional 
part of sum of real numbers. 

[0036] geometric key establishment system the is a block dia- 
gram of FIG. 8that can be used in practicing preferred 



one-dimensional embodiments of the invention in the 

case when the group operation consists of taking the 

fractional part of sum of real numbers. 
Detailed Description 

[0037] The key creation and distribution techniques of an em- 
bodiment of the geometric key establishment system 
hereof are based on the operation of multiplication of real 
numbers by integers and the operation of evaluating frac- 
tional parts of real numbers. More specifically, the n- 
dimensional embodiment of the system hereof is based 
on the operation of multiplication of real vectors by inte- 
ger matrices and on the operation of evaluating fractional 
parts of coordinates of the vectors. 

[0038] | n more advanced implementations the operation of eval- 
uating fractional parts can be replaced by the exponentia- 
tion from the compact Lie algebra into the corresponding 
compact Lie group. 

[0039] a preferred exemplary embodiment of such an apparatus 
is depicted with block diagram in FIG. 1, and is described 
as follows. 

[0040] |_ e t G be a compact connected group whose law of com- 
position 
[OO 41 ] GxG-»G 



[0042] j S feasibly computable. There are among such groups the 
special orthogonal group, the unitary group and their 
closed connected subgroups. The block 101 generates 
such groups. Since each such group has uncountably 
many elements, the block 102 selects an element g of G 
essentially at random. The block 103 generates a n-tuple 
9 = (g ,9 >■■■> 9 ) of pairwise commuting elements g , g 

1 2 n 1 

g of G. This generator may proceed by choosing a 

2 n 

commutative subgroup of G and then selecting elements g 
, g ,...,g from this subgroup. Alternatively, the group 

12 n 

generator 101 can start with choosing a commutative 
group G. The block 104 is designed for independent gen- 
eration of commuting integer matrices, which procedure 
is depicted in more details in FIG. 2. The block 105 is de- 
signed for raising each n-tuple g = (g , g g ) into an 

12 n 

integer matrix power, which procedure is depicted in 
more details in FIG. 3. The block 106 rounds each element 
g of the group G to the nearest element [g] of G. This pro- 
cedure is depicted in more details in subsequent flow dia- 
grams of FIG. 7 and FIG. 8, where, as a preferred embodi- 
ment of the invention hereof, the group operation of G 
consists of taking the fractional part of sum of real num- 
bers. The block 107 applies the procedure of rounding of 



the block 106 to each coordinate of a given n-tuple g = (g 
i' g y-' g J- 

l z n 

[0043] FIG. 2 illustrates a basic procedure of generation of com- 
muting nxn matrices A and B independently by the first 
and the second communicating parties. 

[0044] | n t he block 201 a public nxn matrix S is selected. 

[0045] | n the block 202 the first communicating party chooses at 

random secret integers a , a , a , and in the block 

a o 1 n -1 

204 creates a matrix A according to the formula: 

[0046] A =a -\ + a -S+a -S 2 + ... + a -S"" \ 
0 12 n- 1 

[0047] in a similar manner and independently, in the block 203 
the second communicating party chooses at random se- 
cret integers b ,b ,...,b , and in the block 205 cre- 

a 0 1 n - l' 

ates a matrix B according to the formula: 
[0048] B =fc -\ + b -S+b -S 2 + ... + b -S n_1 . 

0 1 2 n - 1 

[0049] By the design, the matrices A and B commute: A-B=B-A. 

[0050] FIG. 3 represents a basic procedure of raising a n-tuple g 

into the A-th power, where A is an nxn matrix. 
[0051] in the block 301 an n-tuple g = (g , g g ) of elements 

12 n 

of the group G is generated. 
[0052] independently, in the block 302 an nxn matrix A is gener- 
ated. 



[0053] And, in the block 303 the power g A is computed accord- 
ing to the formula: 

[0054] g A =(y y y ), 
12 n 

[0055] W here 

[0056] y =g A1 'J. g A2 -J,., g An -J 

j a l a 2 a n 

[0057] f or j _ i j 2, n , where A., is the (ij)-th matrix coefficient 
of A. 

[0058] FIG. 4 represents a basic procedure of implementing the 
routine of FIG. 3 in the case when the group operation 
consists of taking the fractional part of sum of real num- 
bers. 

[0059] | n the block 401 an ^-dimensional real vector g = (g^ g 
g ) is generated. 

2 n 

[0060] independently, in the block 402 an nxn matrix A is gener- 
ated. 

[0061] And, in the block 403 the fractional product {g-A} is com- 
puted according to the formula: 

[0062] {0. A }=(y y y ), 

12 n 

[0063] W here 

[0064] y ={g A + g A +...+ g A } 

j 1 1J 2 2J n n j 

[0065] f or j - i j 2, n, where A is the (ij)-th matrix coefficient 

U 



of A, and where {z} stands for the fractional part of the 
real number z(for example, {1.7}=0.7, {-1.7}=0.3). 

[0066] FIG. 5 illustrates creation, establishment, and distribution 
of a geometric key in an ^-dimensional embodiment of 
the system of the present invention. It refers to the rou- 
tines illustrated by other referenced flow diagrams (FIG. 1, 
FIG. 2, FIG. 3) which describe features in accordance with 
an embodiment of the invention. 

[0067] The block 501 represents generation of the public com- 
pact connected commutative topological group G and a 
choosing at random a public n-tuple g = (g , g g ) of 

12 n 

elements of G. A public nxn matrix S is also chosen in this 
block. Both, g and S are to be used by both communicat- 
ing parties. 

[0068] The block 502 represents the routine that can be used by 
the first communicating party for generating a private 
matrix A according to the routine of FIG. 2. 

[0069] Similarly, the block 503 represents the routine that can be 
used by the second communicating party for generating a 
private matrix B according to the routine of FIG. 2. 

[0070] The block 504 represents computation (by the first com- 
municating party) of the n-tuple g A according to the rou- 

A 

tine of FIG. 3, and rounding g to the nearest n-tuple [g 



]. The rounded n-tuple [g ] is then transmitted over an 
open (public) channel to the second communicating party. 
[° 071 ] Similarly, the block 505 represents computation (by the 
first communicating party) of the «-tuple g according to 
the routine of FIG. 3, and rounding g to the nearest n- 

B B 

tuple [g ]. The rounded w-tuple [g ] is then transmitted 
over an open (public) channel to the first communicating 
party. 

[0072] The block 506 represents the routine that can be used by 
the second communicating party for generating the n- 
tuple [g A f (according to the routine of FIG. 3) and round- 
ing it to the nearest n-tuple [[g A ] B ]. 

[° 073 ] Similarly, the block 507 represents the routine that can be 
used by the first communicating party for generating the 
H-tuple [g B ] A (according to the routine of FIG. 3) and 

B A 

rounding it to the nearest n-tuple [[g ] ]. 

ABBA 

[0074] By the design, the n-tuples [[g ] ] and [[g ] ] are equal, 
and thus comprise the common secret geometric key in 
possession of both communicating parties. 

[0075] FIG. 6 illustrates creation, establishment, and distribution 
of a geometric key in a one-dimensional embodiment of 
the system of the present invention. It refers to the rou- 
tines illustrated by other referenced flow diagrams which 



describe features in accordance with an embodiment of 
the invention. 

[0076] The block 601 represents generation of the public com- 
pact connected topological group G and a choosing at 
random a public element g of C, which g is to be used by 
both communicating parties. 

[0077] The block 602 represents the routine that can be used by 
the first communicating party for generating a private in- 
teger a, computing the a-thpower g a of g, and rounding g a 
to the nearest element [g a ] in C. This rounded element [g a ] 
is then transmitted over an open (public) channel to the 
second communicating party. 

[° 078 ] Similarly, the block 603 represents the routine that can be 
used by the second communicating party for generating a 
private integer b, computing the fr-thpower g b of g, and 
rounding g b to the nearest element [g b ] in G. This rounded 

b 

element [g ] is then transmitted over an open (public) 
channel to the second communicating party. 
[0079] The block 604 represents the routine that can be used by 
the second communicating party for generating the ele- 

el b cl b 

ment [g ] and rounding it to the nearest element [[g ] ]. 
[0080] Similarly, the block 605 represents the routine that can be 
used by the first communicating party for generating the 



element [g ] a and rounding it to the nearest element [[g ] 

"i. 

sl b b 3. 

[0081] By the design, the elements [g ] and [g ] are equal in G, 
and thus comprise the common secret geometric key in 
possession of both communicating parties. 

[0082] FIG. 7 represents creation, establishment, and distribution 
of a key in an embodiment of the geometric key estab- 
lishment system of present invention. 

[0083] First, public natural numbers D, N, K are generated in the 
block 701. Next, a public w-dimensional decimal vector g 
= (g ,g ,...,g ) having D+2N+K after dot is generated in 

12 n 

the same block 701. And an integer nxnmatrix S is cho- 
sen. 

[0084] Then in the block 702 private integers a , a , a 

(each between -10 N and 10 N ) are generated at random; 
next, a private matrix A is generated according to routine 
of FIG. 2. 

[0085] | n a similar manner, in the block 703 private integers b , 

N N 

b , b (each between -10 and 10 ) are generated at 
random; next, a private matrix B is generated according to 
routine of FIG. 2. 
[0086] | n the block 704 the fractional vector {g*A} is computed 
according to the routine of FIG. 4. Next, each coordinate 



of the resulted vector is rounded to D+N+K decimal 
places. The rounded fractional vector {g*A}is then trans- 
mitted to the second communicating party. 

[0087] | n a similar manner, in the block 705 the fractional vector 
{g*B} is computed according to the routine of FIG. 4. First, 
the vector g is multiplied by the matrixB. Next, each coor- 
dinate of the resulted vector is rounded to D+N + K deci- 
mal places. The rounded fractional vector {#*B}is then 
transmitted to the second communicating party. 

[0088] The block 706 represents the routine that can be used by 
the second communicating party for computing the frac- 
tional vector {{g«A}«B}. The loop 708 is used in the case 
when the vector {{g«A}«B} is not (K,D)-consistent (that is, 
in the case when the sequence of the digits d ,d , ... 

M 3 K+l K+2 

d of at least one coordinate of the vector {{#«A}«B} is 

k+d w 

either 0, 0, 0 or 9, 9, ...,9.) The loop 708 is continued 
until the vector {{g«A}«B} becomes (K,D)-consistent. [The 
probability of a vector {{g«A}«B} to be not (K,D)-consistent 
is extremely low. Namely, this probability is measured as 
at most l-Q-2-10 ) . The probability of the need for the 
second run of the loop 708 is measured as at most 
(l-(l-2-10" D ) n ) 2 ]. The block 710 is then entered, this 
block represents the generation of a vector y which is the 



rounding of the (K, D)-consistent vector {{g«A}«B} to K 
decimal places. 

[0089] | n a similar manner the block 707 represents the routine 
that can be used by the first communicating party for 
computing the fractional vector {{#«B}«A}. The loop 709 is 
used in the case when the vector {{g*B}*A} is not 
(K,D)-consistent (that is, in the case when the sequence of 
the digits d ,d , ... d of at least one coordinate of 

3 K+l K+2 K+D 

the vector {{g«B}«A} is either 0, 0, 0 or 9, 9, 9.) The 
loop 709 is continued until the vector {{g*B}« A} becomes 
(K,D)-consistent. [The probability of a vector {{g*B}«A} to 
be not (K,D)-consistent is extremely low. Namely, this 
probability is measured as at most l-(l-2-10~ ) . The 
probability of the need for the second run of the loop 709 

~ D n 2 

is measured as at most (l-Q-2-10 ) ) ]. The block 711 is 

then entered, this block represents the generation of a 

vector y' which is the rounding of the (K, D)-consistent 

vector {{g«B}«A} to K decimal places. 
[0090] By the design, the vectors y and y' are equal, and thus 

comprise the common secret key in possession of both 

communicating parties. 
[0091] FIG. 8 represents creation, establishment, and distribution 

of a key in an embodiment of the geometric key estab- 



lishment system of present invention. 
[0092] First, a public real number oc and public natural numbers 

D, N, K are generated in the block 801. 
[0093] Then in the block 802 a private integer a (between -10 N 

N 

and 10 ) is generated at random, and the number {aa}\s 
computed and rounded to D+N + K decimal places by the 
first communicating party. The rounded number {aa}\s 
then transmitted to the second communicating party. 
[0094] | n a similar manner, in the block 803 a private integer b 

N N 

(between -10 and 10 ) is generated at random, and the 
number {ab}is computed and rounded to D+N + K decimal 
places by the second communicating party. The rounded 
number {cnb}\s then transmitted to the first communicating 
party. 

[0095] The block 804 represents the routine that can be used by 
the second communicating party for computing the num- 
ber {{aa}b}. The loop 806 is used in the case when the 
number {{aa}b} is not (K, D)-consistent (that is, in the case 
when the sequence of the digits d ,d , ... , d of 

3 K+l K+2 K+D 

the number {{aa}b} is either 0, 0, ...,0 or 9, 9, ...,9). The 
loop 806 is continued until the number {{aa}b} becomes 
(K, D)-consistent. [The probability of a number {{aa}b} to 
be not (K,D)-consistent is extremely low. Namely, this 



probability is measured as at most 2-10 D . The probability 
of the need for the second run of the loop 806 is mea- 

-D 2 

sured as at most (2-10 ) ]. The block 808 is then en- 
tered, this block represents the generation of a number y 
which is the rounding of the (K, D)-consistent number {{a 
a}b} to K decimal places. 
[0096] | n a similar manner block 805 represents the routine that 
can be used by the first communicating party for comput- 
ing the number {{ab}a}. The loop 807 is used in the case 
when the number {{ab}a} is not (K,D)-consistent (that is, in 
the case when the sequence of the digits d ,d , ... , d 

3 K+l K+2 K+D 

of the number {{ab}a} is either 0, 0, ...,0 or 9, 9, 9). 
The loop 805 is continued until the number {{aa}b} be- 
comes (K,D)-consistent. [The probability of a number {{ab} 
a} to be not (K,D)-consistent is extremely low. Namely, 
this probability is measured as at most 2-10°. The prob- 
ability of the need for the second run of the loop 807 is 
measured as at most (2-10~ D ) 2 ]. The block 809 is then en- 
tered, this block represents the generation of a number y' 
which is the rounding of the (K,D)-consistent number {{a 
b}a) to K decimal places. 
[0097] By t he design, the numbers y and y' are equal, and thus 
comprise the common secret key in possession of both 



communicating parties. 



[0098] 

[0099] The security of the system of the present invention comes 
from the built-in geometric density of certain sequences 
of irrational numbers in the semi-open interval [0, 1) of 
the real line. In other words, security of the proposed sys- 
tem is guaranteed by the obvious mathematical fact that 
there is no any a priori known general distribution pattern 
for members of certain sequences of irrational numbers. 

[0100] M 0re precisely, let p , P 2 , ... be a sequence of irrational 
numbers (or more generally, of irrational elements of a 
compact Lie group) and let y be an irrational number 
computed with the precision of K decimal places. Then 
any algorithm that recognizes yas an element of the se- 
quence P , P , ... and identifies the index n such that y= P 

12 n 

K 

must work at least C-10 units of time where C is an a pri- 
ori given constant. 
[0101] Apparently, approaches that are the closest to the present 
invention are developed in U.S. Pat. No 
5,696,826entitledMETHOD AND APPARATUS FOR EN- 
CRYPTING AND DECRYPTING INFORMATION USING A DIGI- 
TAL CHAOS SIGNAL by Gao, in U.S. Pat. No 6,493,449 en- 
titledMETHOD AND APPARATUS FOR CRYPTOGRAPHIC ALLY 



SECURE ALGEBRAIC KEY ESTABLISHMENT PROTOCOLS 
BASED ON MONOIDS by Anshel et al, and in U.S. Patent 
Application Nol0/605,935entitled GEOMETRY- BASED 
SYMMETRIC CRYPTOSYSTEM METHOD by Berenstein and 
Chernyak. 

[0102] The idea of using fractional parts of multiples of given ir- 
rational numbers is not new in cryptography. This idea is 
used to obtain a uniform distribution of numbers in the 
unit interval. It was used, for example, in the patent by 
Gao. However, this is perhaps the only similarity between 
these previous works and the system of the present in- 
vention. In the system hereof, fractional parts of multiples 
of given irrational numbers are never used for obtaining a 
uniform distribution of numbers, but rather for creation of 
a deterministic (non-random) keys. 

[0103] The idea of using infinite groups for key establishment an 
exchange is relatively new. It is presented in the patent by 
Anshel et al. However, the present invention is the first 
where continuous, topological groups are used for key es- 
tablishment and exchange. In patent application by 
Berenstein and Chernyak the geometric continuity is uti- 
lized for constructing private encryption systems. 

[0104] A n embodiment of the system hereof deals with a publicly 



chosen real number a and a pair of secret integers a and 
b, where the first integer a is generated by the first com- 
municating party and the second integer b - by the sec- 
ond communicating party. Absolute value of each of these 
integers is bounded by a publicly available constant 10 N 
that may be arbitrarily big. Thus the keys created and dis- 
tributed by the system hereof can be of any given in ad- 
vance size. The present invention combines the idea of 
Diffie-Hellman protocol of key establishment with the 
idea of the geometric cryptosystem developed in the 
patent application No 10/605,935 by the authors Arkady 
Berenstein and Leon Chernyak. 
[0105] | n this embodiment the real number occanbe chosen es- 
sentially at random from the infinite set of known real 
numbers. This choice can include such numbers as, for 
example, Vm , where m is any natural number that is not a 
complete square, or, more generally, ocean be any irra- 
tional real root of an algebraic equation with integer coef- 
ficients. Also a can be chosen, for example, as tt" or e n , 
where n is any natural number, or, more generally, a can 
be any polynomial with integer coefficients evaluated at a 
given transcendental number. Another possible source of 
irrational numbers may include, for example, sin(«), cos( 



), ln(rt), where n is any natural number; or, more generally, 
a can be any transcendental function evaluated at a given 
natural number. 

[0106] |_ e t { x } be the fractional part of a real number x. By defini- 
tion, for each real number x, the fractional part {x} is given 
by: 

[0107] {*}= *-[*], 

[0108] where [x] is the integer part of x, that is, [x] is the greatest 
integer that is less or equal x. If the numbers a and b are 
integers having at most N decimal digits each (that is, \a\ 

N N 

< 10 and \b\ < 10 ) and each of the numbers {aa} and {a 
b} is rounded to D+N+K decimal places after dot (where 
D, N, and K are natural numbers each greater than 1), 
then the created and distributed key, which is {aab}, will 
have K correct decimal places after the dot. These K cor- 
rect digits serve as the encryption/decryption key of ma- 
jor cryptosystems. 
[0109] The security of the system of the present invention is 

based on the following well-known paradigm from Num- 
ber Theory. Let P , P 2 , ...be a sequence of irrational num- 
bers (or more generally, of irrational elements of a com- 
pact Lie group) and let y be an irrational number com- 
puted with the precision of K decimal places. Then any al- 



gorithm that recognizes yas an element of the sequence p 
, 3 , ...and identifies the index n such that y= 3 must 

1 K 2 1 n 

work at least C-10 units of time where C is an a priori 
given constant. 

[0110] | n particular, the security of the system hereof is based on 
the fact that there cannot be any a priori known general 
distribution pattern of fractional parts of multiples of each 
taken at random irrational number a. Therefore, the secu- 
rity level of the system hereof can be measured as a num- 
ber of operations needed for reconstruction of the num- 
ber a out of a given fractional number {aa} calculated with 
the precision of D+N+K decimal places. The above implies 
that the only way to reconstruct the number a out of a 
given fractional number {aa} is to list all possible numbers 
{al_}, where L is any integer between -10 N and 10 N . The 
number of such numbers L is 2-10 N - 1. 

[0111] For a cryptanalyst, the only alternative to listing all possi- 
ble numbers a is to list all possible shared K-digits keys. 

K 

The number of such keys is 10 . Therefore, the security 
level of the system hereof can be measured as the mini- 
mum of the two numbers 2-10 N - 1 and 10 K . 
[0112] The processor time required for creation and distribution 
of one geometric key is at most quadratic in N and K, or, 



more precisely, is at most N(2D + 3N + 2K) units of pro- 
cessor time. This speed is several orders of magnitude 
higher than in existing key establishment systems. 
[° 113 ] In creating geometric key establishment system in accor- 
dance with an embodiment hereof, a first step is to 
choose publicly available parameters of the system: a real 
number a and natural numbers D, N, K, each greater than 
1, where D stand for the size of the error control buffer, N 
stands for the maximum number of decimal places in 
each secret parameter a and b, and K stands for the key 
length. 

[0114] An embodiment of the geometric key establishment sys- 
tem hereof relies on the concept of (K, D)-consistent 
numbers. An infinite decimal fraction 5 = 0. d d d ... is 

12 3 

said to be (K, D)-consistent if the sequence of the digits d 
, d , d is neither 0, 0, 0 nor 9, 9, 9. 

K+l' K+2' ' K+D ' ' ' ' ' ' 

[0115] jo implement the key creation and key distribution of this 
example, the first communicating party, call it Alice, 
chooses a secret integer a between -10 N and 10 N (i.e., a 
has at most N decimal places), calculates the number p, 
which is the fractional part {oca} rounded to D+N+K deci- 
mal places, and sends so calculated rounding pof {aa} to 
the second the first communicating party, call it Bob. [It is 



assumed in this example that Alice and Bob share the 
publicly available parameters aand D, N, K]. Simultane- 
ously and independently Bob chooses a secret integer b 
between -10 N and 10 N (i.e., b has at most N decimal 
places), calculates the number 3\ which is the fractional 
part {ab} rounded to D+N+K decimal places, and sends so 
calculated rounding 3' of {ab} to Alice. Upon receiving 3 
from Alice, Bob multiplies 3 by b, computes the fractional 
part {fib} with the precision of K + D decimal places after 
the dot. If {pM is (K, D)-consistent, Bob computes the 
number y that is the rounding of {fib} to the K digits after 
the decimal dot. This number yis the geometric key in 
possession of Bob. Upon receiving fi 1 from Bob, Alice mul- 
tiplies 3' by a, computes the fractional part {fi'a} with the 
precision of K + D decimal places after the dot. If {fi'a} is 
(K, D)-consistent, Alice computes the number y' that is 
the rounding of {fi'a} to the K digits after the decimal dot. 
Then Alice computes the number y' that is the rounding of 
{fi'a} to the K digits after the decimal dot. This number y' 
is the geometric key in possession of Alice. In this case 
(which is the general case), the geometric key yis equal to 
the geometric key y'. In those (extremely rare) cases when 
{3M is not (K, D)-consistent, the geometric key has to be 



redistributed because otherwise it may happen that y^Y'- 
In order to avoid such a situation, Alice and Bob choose 
new secret numbers a and b respectively (while keep- 
ing the same a and D, N, K) and repeat the above steps 
until they get a new geometric key y = Y' (provided that 
the new number {(^ b } is (K, D)-consistent). 
[0116] The probability of the need for such redistribution is ex- 
tremely low and is measured as at most 2-10°. The prob- 
ability of the need for the second key distribution is mea- 

-D 2 

sured as at most (2-10 ). 

[0117] The embodiment of the system hereof is based on the fol- 
lowing mathematical argument. 

[0118] The definition of the fractional part {x} of x implies that {x} 
always belongs to the semi-open interval [0, 1), and that 

[0119] {x+c} = {x} 

[0120] f or anv integer c. In its turn this implies that 

[0121] {{x}d} = {xd} 

[0122] for any integer d. Therefore, 
[0123] {{aa]b} = {nab} = {aba} = {{ab}a}. 

[0124] since -10 N < a < 10 N , and -10 N < b < 10 N ; and both {aa} 
and {ab} are computed with D+N+K correct decimal 



places after dot, it is asserted that the left hand side {{aa} 
b} and the right hand side {{ab}a} are equal in the first K 
decimal places after dot if {oca} and {ab} are both (K, 
D)-consistent. In order to prove the assertion, the follow- 
ing notation is introduced. Let {oca} be rounded to D+N+K 
correct decimal places, i.e., to the number 
[0125] 3 = {a fl } + e-10" (D+N+K) , 

[0126] where | 8| < 0.5, and let {ab} be also rounded to N + D + 

K correct decimal places, i.e., to the number 
[0127] 3' = {af ? } + e , -10" (D+N+K) , 

[0128] where I 6' | < 0.5. Then {{aa}b} is calculated as {|3Z?} and {{a 

b}a} is calculated as {fib}. Furthermore, 
[0129] m = {{{aa} + e-10 " ( D+N+K )b] = {{aa}b +9-10 " ( D+N+K >■ 

b} = 

[0130] = { {aa } b +6 -10" ° " K }= {{{aa}b}+Q -10 " ° " K } = {{aab}+Q 

[0131] where 6 is some number such that I 9 | < 0.5. 

l l 



[0132] Similarly 

-(D+N+K) v , „ />,,,*-( D+N+K 

= tuaoi + d -iu 

■a} = 



[0133] {p a } = {({ ab } + e«. io " ( U+N+K V} = {{0Lb}a +9'-10 

) 



[0134] = {{ ah } a + e' .10 _D_K } = {{{a^}+9* -10 ~ D_K } = {{aM+6 1 



[0135] where 6' is some number such that | 9' | < 0.5. 

l l 

[0136] |_ e t y be the rounding of {$b} to K decimal places after dot 
and let y' be rounding of {3'a}to K decimal places after 
dot. The above calculation of {3M and {$'a} ensures that, if 
y^y', then necessarily one of these numbers, say{pM, has 
all digits equal 9 at each z-th decimal place after dot, 
when z = K + 1, K + 2, .... , K + D, and, at the same time, 
the second of these numbers, i.e., {p'a}, has digits equal 0 
at each z-th decimal place after dot, when / = K + 1, K + 
2, ... , K + D. In other words, y^y' implies that both {pM 
and {p'<a} are not (K, D)-consistent. Therefore, if {3M is (K, 
D)-consistent, y= y\ Similarly, y= y 1 if {$'a} is (K, 
D)-consistent. This proves the assertion. 

[° 137 ] In creating geometric key establishment system in accor- 
dance with an embodiment hereof (and with the following 
small numbers for ease of illustration), a first step is to 
choose publicly available parameters of the system: an 
real number a and integer parameters D, N, K greater 
than 1 each. Take, for example, a= V2, N=K=8, 0=2. 
Next, suppose that Alice chooses the number a = 48 176 
925. Alice calculates the number {aa} with the precision 
D+N + K = 18 by p= {aa} = {V2-48 176 925} = 
0.728431422183990298 and sends this number 3 to Bob. 



Suppose that at the same time Bob chooses the number b 
= 19082791. Bob calculates the number {ab} with the 
precision D+N+K = 18 by 3' = {ab} = {V2-19082791} = 
0.840131236839417426 and sends this number 3' to Al- 
ice. Upon receiving the number pfrom Alice, Bob multi- 
plies pby b, computes the fractional part {pM with the pre- 
cision K + D = 10 decimal places after dot: 
[0138] {$ b } = {0.728431422183990298 -19082791} = 
0.5873698504. 

[0139] since this number is (K, D)-consistent, i.e., it has digits 0 

th th 

and 4 at 9 and 10 places after dot, the first K = 8 digits 
of this number is the geometric key in possession of Bob: 
[0140] y= 0.58736985. 

[0141] Upon receiving the number 3' from Bob, Alice multiplies p' 
by a, computes the fractional part {p'a} with the precision 
K + D = 10 decimal places after dot: 

[° 142 ] {Pa} = {0.84013123683941742596 ■ 48 176 925} = 
0.5873698504. 

[°1 43 ] Since this number is (K, D)-consistent, i.e., it has digits 0 

th th 

and 4 at 9 and 10 places after dot, the first K = 8 digits 
of this number is the geometric key in possession of Alice: 
[0144] Y ' = 0.58736985. 



[0145] 
[0146] 

[0147] 
[0148] 



[0149] 
[0150] 



Thus, y= Y' is the geometric key shared by Alice and Bob. 
This key can be used in any major symmetric cryptosys- 
tem. 

In a further embodiment of the invention the real number 
a is replaced by the 2-dimensional real vector g=(g^ g 2 ) 
in order to further enhance the security level of the pro- 
posed system. 

A 2-dimensional embodiment of the system hereof works 
with the semi-open unit square and integer 2x2 matrices 
A and B of the form: 









B 





[° 151 ] where a , a b b are arbitrary integers. This structure 

o i, o, 1 1 3 

of A and B guarantees their commutation: A-B = B-A. 

[0152] Absolute values of each integer a ,a b b are 

3 o i, o, 1 

N 

bounded by a publicly available constant 10 that may be 
arbitrarily big. Thus the keys created and distributed by 
the system hereof can be of any given in advance size. 

[0153] | n this embodiment the vector g=(q^ g 2 ) has coordinates 
g i and which are arbitrary real numbers, that is, g is an 
arbitrary point of plane. 

[0154] |_ et [ x ] De t he fractional part of a real number x. By defini- 
tion, for each real number x, the fractional part {x} is given 
by: 

[0155] { x }= x -[ x ], 

[0156] where [x] is the integer part of x, that is, [x] is the greatest 
integer that is less or equal x. 

[0157] if the numbers a ,a and b b are integers having at 

0 1 o, l 3 a 

most N decimal digits each (that is, \a | < 10 , \a | < 10 

N N 

and \b | < 10 , \b | < 10 ) and each coordinate of the 

o 1 

vectors 

[0158] {^•A}=({g i a Q + g 2 a a ^ Q 2 a Q }) and {^•B}=({g i b 

+ 9 b },{- g b + g b }) 

o a 2 1 a l 1 a 2 o 

[0159] j S rounded to D+N+K decimal places after dot (where D, 
N, and K are natural numbers each greater than 1), then 



the created and distributed key, which is the vector { 
g«A«B}, in each of its coordinates will have K correct deci- 
mal places after the dot. These 2K correct digits serve as 
the encryption/decryption key of major cryptosystems. 

[0160] The security of this two-dimensional embodiment is fur- 
ther enhanced even in comparison with the high security 
of the one-dimensional embodiment. 

[° 161 ] In creating geometric key establishment system in accor- 
dance with the 2-dimensional embodiment hereof, a first 
step is to choose publicly available parameters of the sys- 
tem: a real vector g=(q^ g^ and natural numbers D, N, K, 
each greater than 1, where D stand for the size of the er- 
ror control buffer, N stands for the maximum number of 
decimal places in each secret parameter a and b, and K 
stands for the key length. 

[0162] This embodiment of the geometric key establishment sys- 
tem hereof relies on the concept of (K, D)-consistent vec- 
tors. An infinite decimal fraction 8 = 0. d d d ... is said 

12 3 

to be (K, D)-consistent if the sequence of the digits d , 

K+ 1 

d , d is neither 0, 0, 0 nor 9, 9, 9. We say 

K+2' ' K+D ' ' ... y 

that a vector (x ,x ) is (K,D)-consistent both x and x 

l' 2 ' 1 2 

are (K,D)-consistent numbers. 
[0163] To implement the key creation and key distribution of this 



example, the first communicating party, call it Alice, 
chooses a pair of secret integers (a , a ) each between - 

N N 

10 and 10 (i.e., each of these integers has at most N 
decimal places). Then Alice calculates the vector (y , y ), 
where y is {g a +g a } rounded to D+N + K decimal 

7 1 a l 0 a 2 1 

places and y is{-g a + g a } rounded to D+N+K dec- 

K 2 1 1 2 0 

imal places; and sends so calculated vector (y , y ) to the 
second communicating party, call it Bob. [It is assumed in 
this example that Alice and Bob share the publicly avail- 
able parameters g=(q^ and D, N, K.] 
[° 164 ] Simultaneously and independently Bob chooses a pair of 
secret integers (b , b ) each between -10 N and 10 N (i.e., 
each of these integers has at most N decimal places). 
Then Bob calculates the calculates the vector (z , z ), 

l' 2 ' 

where z is {g b + g b } rounded to D+N+K decimal 

1 3 i o 3 2 1 

places and z is{- g b + g b } rounded to D+N+K 

2 1 1 2 0 

decimal places; and sends so calculated so calculated vec- 
tor (z , z ) to Alice. 

1 2 

[0165] Upon receiving the vector (y , y ) from Alice, Bob calcu- 
lates the vector (k , k ) by the formula: 

[° 1 66] k ) = ({y +y }, {- y Z?+y }). 

1 2 ' 1 0 2 1^1 1 7 2 0 

[0167] |f the vector (k , k ) is (K, D)-consistent then Bob calcu- 
lates the geometric key (s , 5 ) by rounding each coordi- 



nate of (k , k ) to K decimal places. Otherwise, he 
restarts the protocol. 
[0168] upon receiving the vector (z , z ) from Bob, Alice calcu- 
lates the vector (k' , k' ) by the formula: 

1' 2 7 

[0169] ( k > k - ) = ({ z fl +z {- z fl+z fl }). 

l' 2 1 0 2 1' 11 2 0 

[0170] |f t he vector (k' , k' ) is (K, D)-consistent then Alice cal- 
culates the geometric key (s'^ s' ) by rounding each co- 
ordinate of (k' , k' ) to K decimal places. Otherwise, she 
restarts the protocol. 

[0171] The mathematical argument presented below proves that 
the geometric key (s , s ) in possession of Bob to the ge- 
ometric key (s' t s' ) in possession of Alice. 

[0172] | n those (extremely rare) cases when (k , k ) is not (K, 
D)-consistent, the geometric key has to be redistributed 
because otherwise it may happen that (s , s ) ^ (5' , s' 2 ). 
In order to avoid such a situation, Alice and Bob choose 

new pairs of secret numbers (a ' , a ' ) and (b ' ,b ' ) re- 

r v 0 r 0 1 

spectively (while keeping the same ^=(g , g 2 ) and D, N, K) 
and repeat the above steps until they get a new geometric 
key (s , s ) = (5' , 5 r ) (provided that the new vector (k , 
is (K, D)-consistent). 
[0173] The probability of the need for such redistribution is ex- 
tremely low and is measured as at most 4-10" . The prob- 



ability of the need for the second key distribution is mea- 

-D 2 

sured as at most (4-10 ) . 

[0174] The embodiment of the system hereof is based on the fol- 
lowing mathematical argument. 

[0175] Proposition. Let be P=(P , P P ),Q=(Q , Q Q ), and 

12 n 12 n 

I=(L , L L ) be n-tuples of natural numbers. Let a and 

l' 2' n K 

3 be nxn matrices with natural coefficients such that: 

[0176] Q _1 .(X<L ~ 1 J P _1 -3<I ~\ 

[0177] Then for any real vector g = (g , g ,...,g ) any nxn matri- 

12 n 

ces A and B with integer coefficients such that A-B = B-A 
and 

[0178] | A |<a , | B |<p 

■j u u u 

[0179] (for all i = 1,2,.., n, j = l,2,..,w) one has: either at least one 
coordinate of [{([{g-A}] p )-B}] L equals 0,or at least one coor- 
dinate of[{([{#-B}] Q )-A}] L equals 0, or 

[° 18 °] {([{^A}] p )-B}-{([{^B}] Q )-A}=e-L ~\ 

[0181] Proof. By definition, one has: 

[° 182 ] l{g-A}]={g-A}+Q { p-\ [{0-B}] Q ={0-B}+e 2 -Q~\ 

[0183] where -V2<Q <Yi and -Yi<Q <Yi. Therefore, 

1 2 

[0184] ([{^A}] p )-B=({^A}+e i -P _1 )-B={^A}-B +6 i -P" 1 -B= {#-A}-B +E 
l' 



[0185] where £ =6 -P _1 -B. 

1 l 

[0186] Similarly, 

[° 187 ] ([{^B}] Q )-A=({^B}+e 2 -Q _1 )-A={^B}-A +6 2 -Q _1 -A= fo-BJ-A + 

E , 

2 

[0188] where £ =6 -Q _1 -A. 

2 2 

[0189] By the assumptions, one has: 

[0190] |£ | = |9 -P _1 -B |<l/2-|P" 1 -B|<l/2-P" 1 -p<l/2-l" 1 
[0191] and 

[0192] |£ | = |9 .Q _1 -A |<l/2-|Q" 1 -A|<l/2-Q" 1 -a<l/2-l" 1 . 

[0193] in its turn, this implies that either !([{#■ A}] p )-B| is not 

greater than L _1 or: 
[° 194 ] {([{^-A}] p )-B}= {{0-A}-B +E x }= {{g-Am +E ^fo-A-B} +E i . 

[0195] Similarly, this implies that either |([{#-B}] q )-A| is not 

greater than L _1 or: 
[° 196 ] {([{^-B}] Q )-A}= {{0-B}-A +E 2 }= {fo-BJ-A} +E 2 ={0-B-A} +E ? . 

[0197] since A-B= B-A, one has: 

[° 198 ] {([^■A}] p )-B}-{([{^-B}] Q )-A}=£ i -£ 2 =e-l" 1 , 

[0199] where -1< 6< 1. □ 

[0200] v\/e say that a vector x=(x ,x x ) is (K, D)-consistent if: 

12 n 



[0201] (_ Cj _ Cj _ t _ C ) < x -[x] < (C, C, C) , 

K. 

[0202] where c=l/2-l/(2D). 

[0203] corollary. In the notation of the Proposition, if L=D-Kand 
one the vectors {([{#■ A}] p )-B} and {([{<?■ B}] q ) -A} is (K, 
D)-consistent then 

[° 204 ] [([te-AJD-Bl = [([{0-BJ1 )-A] . 

r K C_i Iv 

[0205] For the 2-dimensional embodiment of the system hereof 
the Corollary is applied with n=2, K=(K,K). Therefore, the 
Corollary guarantees that (s , s ) = (s' , 5' ) in the proto- 
col. 

[0206] | n creating a geometric key establishment system in ac- 
cordance with the two-dimensional embodiment hereof 
(and with the following small numbers for ease of illustra- 
tion), a first step is to choose publicly available parame- 
ters of the system: a vector g=(g , g 2 ) and integer param- 
eters D, N, K greater than 1 each. Take, for example, g i = 
V2, g 2 = V3, N = K = 8, D = 2. Next, suppose that Alice 
chooses a pair of secret integers (a Q , a^ = (48176925, 
18034725). Alice calculates the vector 

[0207] (y y ) =({ g a + ga},{-ga+ga }) 
w 1 2 1 0 2 1 1 1 20 

[0208] eac h coordinate of which rounded to D+N+K = 18 deci- 
mal places: 



[0209] (y j y ) = ({ V2-48176925 + V3-18034725}, 

{-V2-18034725 + V3-48176925})= 
[0210] ({68132460.728431422183990297539596+31237060.0 

00532620547511774721314}, 

{-25504952.688669116604000035676723 + 83444881.8 
52435233704474767836253}) 
[0211] =(0.728964042731502072, 0.163766117100474732) 

[0212] anc | sends this vector (y , y ) to Bob. Suppose that at the 
same time Bob a pair of secret integers (b Q , b ) = 
(19082792, 27045821). Alice calculates the vector 

[0213] ( z z )=({ g b +gb}, {-gb+gb }) 

1 2 1 0 2 1 1 1 2 0 

[0214] eac h coordinate of which rounded to D+N+K = 18 deci- 
mal places: 

[0215] (z , z )= ({ V2-19082792 + V3-27045821}, 
{-V2-27045821+ V3-19082792})= 
({26987143.254344799212512475172839+ 
46844736.104413300451707772339473}, 
{-38248566.863715063905876737732694+ 
33052365.294268911065907204826118})= 

[0216] =(0.358758099664220248, 0.430553847160030467) 

[0217] anc | sends this vector (z p z ) to Alice. Upon receiving the 
vector (y , y ) from Alice, Bob calculates the vector (k , k 



) by the formula: 
[0218] (fc k ) = ({ y b+yb}, {-yb+yb}) 

1 2^10 ' 2 1 ' 1 1 '20 

[0219] with the precision K + D = 10 decimal places after dot: 

[0220] {k jk 
1 

)=({0. 72896404273 1502072-19082792+0. 1637661171 

2 00474732-27045821}, {- 

0.728964042731502072-27045821 + 

0.163766117100474732-19082792}) = 
[0221] =({13910669.202924365887545024+4429189.0889644 

78616694972U-19715431.015 152556100441112 + 3 12 

5114.749276002412011744}) 
[0222] =(0.2918888445, 0.7341234463) 

[0223] since this vector is (K,K, D)-consistent (i.e., its first coor- 

th th 

dinate has digits 4 and 5 at 9 and 10 places after dot, 
and its second coordinate has digits 6 and 3 at 9 th and 10* 
places after the dot), the vector (k , k ), being rounded to 
the first K = 8 digits of each coordinate, constitutes the 
geometric key in possession of Bob: 
[0224] (0.29188884, 0.73412345). 

[0225] Upon receiving the vector (z , z ) from Bob, Alice calcu- 
lates the vector (k' , k' ) by the formula: 
[0226] ( k . k ' ) = ({ z . a + z . a }, {- z -a + z -a }) 

12 10 2 1 11 2 0 



[0227] W j t h the precision K + D = 10 decimal places after dot: 

[0228] (k' k' 2 )=({0. 358758099664220248-48176925 + 

0.430553847160030467-18034725}, {- 

0.358758099664220248-18034725 + 

0.430553847160030467-48176925})= 
[0229] =({17283862.0606656640713774 + 

7764920.231223180463966575}, {- 

6470103.6689668045121118 + 

20742760.403090250806373975})= 
[0230] =(0.2918888445, 0.7341234463) 

[0231] Since this vector is (K, D)-consistent (i.e., its first coordi- 

th th 

nate has digits 4 and 5 at 9 and 10 places after dot, 
and its second coordinate has digits 6 and 3 at 9 th and 10 1 
places after the dot), the vector (k' , k' ), being rounded 
to the first K = 8 digits of each coordinate, constitutes the 
geometric key in possession of Alice: 
[0232] (0.29188884, 0.73412345). 

[0233] T hus, the vector (0.29188884, 0.73412345) is the geo- 
metric key shared by Alice and Bob. This key can be used 
in any major symmetric cryptosystem. 

[0234] The invention has been described with reference to a par- 
ticular preferred embodiment, but variations within the 



spirit and scope of the invention will occur to those skilled 
in the art. For example, it will be understood that the 
public information g=(g , g 2 ), D, N, K of the system can be 
stored on any suitable media, for example a "smart card," 
which can be provided with a microprocessor capable of 
performing arithmetic operations so that the keys can be 
distributed to and/or from the smart card. 



